a blog by Sander Berkouwer

When you get serious about security in Hybrid Identity implementations, you'd opt to implement AD FS servers and Web Application Proxies as Server Core installations. However, this poses a slight problem with the Azure AD Connect Health Agent for AD FS, because at first glance, you can't configure it on Server Core installations of Windows Server.

I have the Azure AD Connect Health Agent for AD FS working on my Server Core-based Active Directory Federation Services (AD FS) servers and my Web Application Proxies. I've gone back and forth and have successfully used the method below on AD FS servers and Web Application Proxies running:

Azure AD Connect Health agent for AD FS

After installation, the agent needs to be configured to communicate with the Azure Active Directory tenant that is part of the Hybrid Identity implementation. During configuration, the agent therefore asks for Global Administrator credentials.

When communicating with the Azure AD Connect Health service, the Azure AD Connect Health agent for AD FS connects to several endpoints and sets up outgoing connections only, on TCP 80, TCP 443 and TCP 5671. No inbound connections are needed, but in a strictly managed perimeter network these outbound ports have to be opened for the Web Application Proxies as well, or registration and reporting will fail.

In the new pane, in the Get Tools section, click the link Download Azure AD Connect Health Agent for AD FS.

Save AdHealthAdfsAgentSetup.exe to an easily accessible location.

Step 2. Getting the installer on the Server Core installations

There are several ways to get the installer for the Azure AD Connect Health Agent for AD FS onto Server Core installations. While some prefer the file share method, this is not particularly useful in scenarios where the Web Application Proxies are placed in a strictly managed perimeter network, where you'd have RDP access, at best.

There’s a little trick I use to get the files I need onto Server Core installations, making clever use of the built-in functionality of RDP and Notepad.

While you could get fooled into believing you don't have File Explorer-like functionality on Server Core installations, Notepad actually offers this functionality as part of its File, Open dialogue window.

I perform these steps:

On the Windows installation where you previously downloaded the installer for Azure AD Connect Health Agent for AD FS, select the installer by left-clicking it. Then, right-click it and select Copy from the context menu.

Log on to the Server Core installation using RDP with default settings (clipboard redirection is enabled by default), using the Remote Desktop Connection client (mstsc.exe).

On the Server Core’s command line, type Notepad.exe.

In Notepad, click on File in the menu bar, and then click Open.

In the Open dialogue window, select the option All Files instead of the default Text Documents (.txt) for Files of type:.

Navigate to a folder where you can easily access the installer from the command line. As I prefer short command lines, I usually place installers in the root of the C:\ drive.

Click in an empty space in the folder where you want to place the installer, and press Ctrl+V to paste the installer into that location.

Verify the file was pasted into the location and then click Cancel in the Open dialogue window.
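Pasting an executable into a perimeter host through the RDP clipboard is convenient, but it is also a point where a corrupted or swapped file would go unnoticed. The following is an added example, not code from the original post: before running the installer, compare its SHA-256 with the value computed on the download machine and check that it carries a valid Authenticode signature from Microsoft. The C:\ path follows the post; the expected hash is whatever Get-FileHash returned on the source machine, and the signer subject prefix is an assumption to adjust if your verification policy differs.

```powershell
# Added example: verify an installer that was pasted onto a Server Core host.
# Assumptions: installer in C:\ (as in the post); the expected SHA-256 comes from
# running (Get-FileHash .\AdHealthAdfsAgentSetup.exe).Hash on the download machine.
function Test-PastedInstaller {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string] $ExpectedSha256,                                # optional, from the source machine
        [string] $ExpectedSigner = 'CN=Microsoft Corporation'  # assumed subject prefix of the signer
    )

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        throw "Installer not found at $Path; the clipboard paste did not land."
    }

    # 1. Integrity: the bytes on the server must match the bytes that were downloaded
    $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    if ($ExpectedSha256 -and ($hash -ne $ExpectedSha256.ToUpperInvariant())) {
        throw "SHA-256 mismatch: got $hash, expected $ExpectedSha256 (corrupted or tampered copy)."
    }

    # 2. Authenticity: the file must carry a valid Authenticode signature from the expected publisher
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    if ($sig.Status -ne 'Valid') {
        throw "Authenticode signature status is '$($sig.Status)'; refusing to run this file."
    }
    if ($sig.SignerCertificate.Subject -notlike "$ExpectedSigner*") {
        throw "Unexpected signer: $($sig.SignerCertificate.Subject)"
    }

    [pscustomobject]@{
        Path   = $Path
        Sha256 = $hash
        Signer = $sig.SignerCertificate.Subject
        Status = $sig.Status
    }
}

# Usage on the Server Core host, right after pasting the file with Notepad.
# Add -ExpectedSha256 '<hash from the download machine>' to also enforce the hash check.
Test-PastedInstaller -Path 'C:\AdHealthAdfsAgentSetup.exe'
```

Get-FileHash, Get-AuthenticodeSignature and Test-Path are all available in the PowerShell that ships with Server Core, so the check runs where the paste landed without copying anything else onto the host.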

The Azure AD Connect Health Agent for AD FS configuration will fail, stating the following error:

Register-AzureADConnectHealthAgent: The type initializer for 'Microsoft.identityModel.Clients.ActiveDirectory.Internal.WindowsFormsWebAuthenticationDialogBase' threw an exception.

This is expected.

A log file is created. When you go through the log file, you'll notice a line stating:

Unable to load DLL ‘IEFRAME.dll’: The specified module could not be found. (Exception from HRESULT: 0x8007007E)

Here is the cause of the failure. HRESULT 0x8007007E is ERROR_MOD_NOT_FOUND: IEFRAME.dll, the Internet Explorer frame library behind the embedded browser control, is missing because Internet Explorer is not available on Server Core installations. The Azure AD Connect Health Agent for AD FS tries to use that embedded browser to display the sign-in prompt for Azure Active Directory through the interactive Azure Active Directory Authentication Library (ADAL) experience, and fails before the prompt can be shown.

Step 4. Configuring the Azure AD Connect Health AD FS Agent

Luckily, the Azure AD Connect Health Agent for AD FS provides information on how to solve this situation. To solve this issue, we are advised to run the Register-AzureADConnectHealthADFSAgent PowerShell cmdlet manually.

Now, of course, running the cmdlet as-is results in the same error, because without a credential it falls back to the interactive ADAL dialog that needs Internet Explorer. Therefore, we run it slightly differently, passing a credential object so that no browser dialog is ever created. This takes two lines of PowerShell code:

$cred = Get-Credential

Register-AzureADConnectHealthADFSAgent -Credential $cred

After the first line of PowerShell, we are prompted for credentials. We need to enter the userPrincipalName and password of an account in Azure Active Directory that has Global Administrator (Company Administrator) privileges in the Azure AD tenant and does not have multi-factor authentication enabled. The -Credential parameter sends the username and password directly in a non-interactive flow, so there is no way to complete a multi-factor authentication challenge on this path.

Note:
Enforcing multi-factor authentication on privileged accounts in Azure Active Directory is a best practice, and actually free for admins. However, in this case, we need to temporarily use an account without multi-factor authentication. Registration is a one-off operation, so use a dedicated account for it and re-enable multi-factor authentication on that account (or disable the account) immediately after the agent reports success.

After the second line of PowerShell code, the Azure AD Connect Health Agent for AD FS will be successfully configured and communicating to the Azure AD Connect Health endpoints, reporting:

Agent registration completed successfully.
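The two lines above are all that is required, but on a perimeter host it pays to check the outbound ports first (the TCP 80, 443 and 5671 requirement from earlier in this post) and to confirm the agent's services afterwards. The following is an added example, not code from the original post: a small wrapper that runs the agent module's own connectivity test, performs the registration with an explicit credential so the IEFRAME.dll-dependent dialog is never invoked, and lists the agent services. Test-AzureADConnectHealthConnectivity and Register-AzureADConnectHealthADFSAgent are the cmdlets installed by AdHealthAdfsAgentSetup.exe; the 'Azure AD Connect Health*' display-name filter is an assumption, as is the UPN format check.

```powershell
# Added example: register the Health agent on Server Core without the ADAL browser dialog.
# Assumptions: cmdlets from the agent's own module are present (installed by
# AdHealthAdfsAgentSetup.exe); the service display-name filter is an assumption.
function Register-HealthAgentNonInteractive {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [pscredential] $Credential
    )

    # The credential flow cannot complete MFA and expects a cloud UPN, not DOMAIN\user.
    if ($Credential.UserName -notmatch '^[^@\s]+@[^@\s]+\.[^@\s]+$') {
        throw 'Supply the userPrincipalName of the Global Administrator account (user@tenant), not DOMAIN\user.'
    }

    # 1. Pre-flight: confirm outbound TCP 80/443/5671 reaches the Azure AD Connect Health endpoints.
    Write-Verbose 'Checking outbound connectivity to the Azure AD Connect Health service'
    Test-AzureADConnectHealthConnectivity -Role ADFS

    # 2. Register with an explicit credential: this path never instantiates
    #    WindowsFormsWebAuthenticationDialogBase, so IEFRAME.dll is not needed.
    Register-AzureADConnectHealthADFSAgent -Credential $Credential

    # 3. Post-check: the agent services should exist and be running.
    Get-Service |
        Where-Object { $_.DisplayName -like 'Azure AD Connect Health*' } |   # assumed display-name prefix
        Select-Object Name, DisplayName, Status
}

$cred = Get-Credential -Message 'Global Administrator UPN and password (account without MFA enforced)'
try {
    Register-HealthAgentNonInteractive -Credential $cred -Verbose
}
finally {
    # Do not leave the privileged credential lying around in the session.
    Remove-Variable -Name cred -ErrorAction SilentlyContinue
}
```

Run it in an elevated PowerShell session on each AD FS server and Web Application Proxy; if the connectivity test reports blocked endpoints, fix the firewall before attempting the registration, since the cmdlet will otherwise fail after the credential has already been sent.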

Concluding

You can get the Azure AD Connect Health Agent for AD FS working on Server Core installations.

However, you can't configure it using a privileged Azure Active Directory account that has multi-factor authentication enforced, because the credential-based registration path cannot complete an MFA challenge.
